82307 matches found
CSV Injection
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...
CVE-2026-47422
CVE-2026-47422 affects the Frappe framework. An endpoint in reportview allowed unrestricted access to save_report due to missing permission checks prior to versions 15.107.5 and 16.18.2. The issue is fixed in those versions (15.107.5 and 16.18.2). The provided references include a GitHub advisory...
CVE-2026-55515
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...
CVE-2026-55452
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
CVE-2026-55452
CVE-2026-55452 concerns Snipe-IT (IT asset/license management) where pre-8.5.0 builds store the User-Agent header via Actionlog::logaction() and export it in Activity Report CSV without formula escaping. This allows a low-privileged authenticated user to inject a formula-like payload that can exe...
CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
CVE-2026-55515
CVE-2026-55515 affects Snipe-IT prior to version 8.6.2. The unaccepted-assets report delete endpoint erroneously authorizes on a global ID: it allows a reports user in one company to delete pending CheckoutAcceptance records for another company by calling CheckoutAcceptance::pending()->find($a...
CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...
CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...
CVE-2026-15376
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...
CVE-2026-15376 Eleveo Call Recording Software statisticReportAction.do improper authorization
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...
EUVD-2026-42934
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...
GHSA-XXHW-P6QC-4J2J vulnerabilities
Vulnerabilities for packages: chromium...
WordPress Dokan plugin <= 5.0.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Plugin Dokan versions = 5.0.6...
CVE-2026-15332
Technical details about CVE-2026-15332 are not publicly available in the provided documents; monitor for updates.
CVE-2026-59832
creationtimestamp| type| source ---|---|--- 2026-07-10 00:17:11+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqauoqehek25 2026-07-10 03:01:24+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mqb5uebh3r25...
CVE-2026-51924
An issue in docuForm GmbH Client v.11.11c allows a remote attacker to execute arbitrary code via the file upload and report.php component...
GHSA-MXR8-RXWP-G4GX vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-C6M6-6997-FXFH vulnerabilities
Vulnerabilities for packages: chromium...